bolder88 | 12 years ago

No, we shouldn't bother trying to plug those leaks.

Current situation:

  * You request website A, which includes 3rd party code from C. C drops a cookie.
  * You request website B, which includes 3rd party code from C. C knows you previously visited A.

New situation:

  * You request website A, which includes 3rd party code from C. Website A sends details of your visit via a backchannel to C.
  * You request website B, which includes 3rd party code from C. Website B sends details of your visit via backchannels, and C knows you previously visited A.

Wouldn't you rather such tracking be out in the open and easily blocked - stop accepting cookies, rather than them creating backchannels to track you instead?

Yes - You should give up if you think you will be able to continue sending websites HTTP requests directly, whilst not being tracked.

jrochkind1|12 years ago

I'm not sure. Those backchannels would be enormously more expensive and technically challenging for the commercial entities to do right.

So, yeah, I see your point, but maybe I _would_ rather make it much more expensive to do that, and much harder for them to do it successfully rather than messing up a technical detail.

On the other hand, I guess eventually they'd get it right in commodity software that everyone can use. Eventually.

Really, I don't know why anyone that wants to do the kind of tracking we're talking about is using cookies anyway, instead of user-agent fingerprints that have been shown to be pretty much unique anyway. So the cookies are perhaps all a distraction. The browser makers don't need to invent a new cookie-less browser fingerprint tracking system, they've already got it with the over-specialized user-agents.

paulgb|12 years ago

If you block third-party cookies, C no longer has a reliable way to know that you are the same visitor on both requests. (Unless you're suggesting that C is stuffing a UID in the cache or something?)

gcb0|12 years ago

C can already infer that. Google probably does that on their free CDN stuff.

You have a unique combination of IP+UserAgent+extra Headers. That is enough. A and B do not even have to send anything. And this will continue to work even without cookies.
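Added example, not part of any comment in this thread: a short Python audit of what a third party C can link from its own request log when no cookie is sent, comparing the IP+User-Agent+header key described above with coarser keys. The log lines, hosts, and the choice of Accept-Language as the "extra header" are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what third party C logs when pages on A and B load its
# script. No cookie is sent. Fields: client IP, User-Agent, Accept-Language, Referer.
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"
CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/30.0.1599.101 Safari/537.36"
REQUESTS = [
    ("198.51.100.7", FIREFOX, "en-GB,en;q=0.7", "https://a.example/backpacks"),
    ("198.51.100.7", CHROME, "en-US,en;q=0.8", "https://a.example/"),
    ("198.51.100.7", FIREFOX, "en-GB,en;q=0.7", "https://b.example/reviews"),
    ("203.0.113.9", CHROME, "en-US,en;q=0.8", "https://b.example/"),
    ("203.0.113.9", CHROME, "en-US,en;q=0.8", ""),  # Referer withheld
]
IP, UA, LANG, REFERER = range(4)


def sites_per_key(requests, key_fields=(IP, UA, LANG)):
    """Map each passive key to the set of first-party hosts it was seen on."""
    seen = defaultdict(set)
    for req in requests:
        host = urlsplit(req[REFERER]).hostname
        if host is None:  # no Referer: this request cannot be attributed to a site
            continue
        seen[tuple(req[i] for i in key_fields)].add(host)
    return dict(seen)


def cross_site_keys(requests, key_fields=(IP, UA, LANG)):
    """Keys seen on more than one first-party site: linkable without any cookie."""
    return {k: s for k, s in sites_per_key(requests, key_fields).items() if len(s) > 1}


if __name__ == "__main__":
    # Compare the combined key with coarser ones to see which over-merge clients.
    for name, fields in [("IP+UA+lang", (IP, UA, LANG)), ("IP only", (IP,)), ("UA only", (UA,))]:
        linked = cross_site_keys(REQUESTS, fields)
        print(f"{name}: {len(linked)} key(s) linked across sites")
        for key, sites in linked.items():
            print("   ", key[0][:40], "->", sorted(sites))
```

In this sample the combined key links only the Firefox client across both sites, while the User-Agent alone also merges two different Chrome clients behind different addresses.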

gcb0|12 years ago

This move is to prevent you from being tracked against website A and B's will.

For example, Google provides a jQuery CDN. Websites A and B use that to save some cents on bandwidth. Google now knows which pages you visited on websites A and B. And if A was a backpack store and B was a pressure cooker review, expect the NSA :D